“Hangover Group is a cyberespionage group that was first observed in December 2013 carrying on a cyberattack against a telecom corporation in Norway. Cybersecurity firm Norman reported that the cyberattacks were emerging from India and the group sought and carried on attacks against targets of national interest, such as Pakistan and China. However, there have been indicators of Hangover activity in the U.S. and Europe, mainly focusing on government, military, and civilian organizations. The Hangover Group’s initial vector of compromise is to carry out spear-phishing campaigns. The group uses local and topical news lures from the South Asia region to make their victims more prone to falling into their social engineering techniques, making them download and execute a weaponized Microsoft Office document. After the user executes the weaponized document, backdoor communication is established between BackConfig and the threat actors, allowing attackers to carry on espionage activity, potentially exfiltrating sensitive data from compromised systems.” https://unit42.paloaltonetworks.com/threat-assessment-hangover-threat-group/

“All National Health Service (NHS) and social care organisations in the United Kingdom have always been and will always be a target for bad actors. The nature of their business and the sensitive data they hold make these entities appealing to bad actors who know that legacy systems and/or not regularly patched systems, such as those employed by healthcare organizations, are easy to penetrate. Such attackers also figure that they can easily use disrupted IT assets within hospitals to get what they want.” https://www.tripwire.com/state-of-security/healthcare/nhs-uk-healthcare-orgs-boost-security-covid-19/

“The deep web and the dark web are two distinctly different things. The dark web is merely dark because of its more limited accessibility; however, the public misconception has led to the belief that the dark web is a realm for cybercrime. Still, cybersecurity is a huge issue for companies and individuals. Personal data such as name, address, email address, and phone number are on the Internet. Data breaches and hacking cost the global economy more than $400 billion of losses annually. Most cyberattacks happen through the dark web.” https://www.threathunting.se/2020/06/04/what-is-the-dark-web/

“A Chinese threat actor has developed new capabilities to target air-gapped systems in an attempt to exfiltrate sensitive data for espionage, according to newly published research by Kaspersky yesterday. The APT, known as Cycldek, Goblin Panda, or Conimes, employs an extensive toolset for lateral movement and information stealing in victim networks, including previously unreported custom tools, tactics, and procedures in attacks against government agencies in Vietnam, Thailand, and Laos.” https://thehackernews.com/2020/06/air-gap-malware-usbculprit.html

“The app, created by Jaipur, India-based developer OneTouch AppLabs, purported to scan Android phones for any apps with links to China. It used market research to identify apps from a named list and would then offer users the chance to wipe them from the user’s phone. Demos found online showed it deleting TikTok, the popular messaging app owned by Chinese developer ByteDance, and UC Browser, developed by Alibaba-owned UCWeb. It also reportedly deleted the app for the Zoom videoconferencing service, which the Munk School’s Citizen Lab revealed was sending encryption keys to Chinese servers.” https://nakedsecurity.sophos.com/2020/06/04/google-deletes-indian-app-that-deleted-chinese-apps/

“Sky News reported on Wednesday that the contractor, Westech International, has confirmed that it’s been hacked and that its computers have been encrypted. It’s not yet clear if the extortionists managed to steal classified military information. Investigations to identify exactly what they got away with are still ongoing. However, the attackers have already leaked files that suggest they had access to sensitive data – including payroll and emails – that they copied before they encrypted it, Sky News reports. They’re threatening to publish all of the files.” https://nakedsecurity.sophos.com/2020/06/04/nuclear-missile-contractor-hacked-in-maze-ransomware-attack/

“A 64-year-old man has pleaded guilty in a Texan court to charges of money laundering after a series of attacks that defrauded companies out of hundreds of thousands of dollars. Kenenty Hwan Kim (who sometimes went by the name Myung Kim) took advantage of a simple trick that has proven highly effective to fraudsters in recent years. The method of tricking businesses into handing over large amounts of money is known as Business Email Compromise (BEC), and comes in a variety of flavours.” https://www.tripwire.com/state-of-security/featured/the-scammer-launder-business-email-compromise/

“Recorded Future catalogued more than 200 publicly reported ransomware attacks against banking and financial institutions outside of the United States between April 2019 and April 2020. During the same period, there were just over 40 publicly reported ransomware attacks against financial institutions in the United States.” https://www.recordedfuture.com/finance-ransomware-attacks/

“Signal, the popular encrypted messaging app, will release a feature that enables users to blur faces in photos they share, Signal Foundation co-founder Moxie Marlinspike said Wednesday. The feature will be built into forthcoming versions of Signal for Android and iOS to automatically detect faces and obscure them. For faces that aren’t detected, the user can manually blur the image before sending.” https://www.cyberscoop.com/george-floyd-protest-phone-security/

“After researchers conducted forensic investigations at a European educational institution, they uncovered that attackers had gained access to the unnamed institution through an internet-connected remote desktop server, according to the Blackberry Research and Intelligence Team. The ransomware, which Blackberry has dubbed Tycoon, uses a little-known Java image format to avoid detection and then encrypts file servers, locking administrators out unless they pay a ransom.” https://www.cyberscoop.com/tycoon-ransomware-java-blackberry-kpmg/

“The traditional image of a successful email attack is that of a naive employee clicking the link in a crudely crafted spam email bent on phishing. But times have changed, and employees are much more security-educated than they used to be. So, today’s threat actors are creating increasingly sophisticated business email compromise (BEC) attacks that rely on social engineering and lack the common threat signals to trigger detection.” https://threatpost.com/understanding-payload-less-email-attacks/156299/

“The Maze Ransomware operators are claiming to have successfully attacked business services giant Conduent, where they stole unencrypted files and encrypted devices on their network. Conduent is a New Jersey, USA based business services firm with 67,000 employees and a 2019 business revenue of $4.47 billion. Today, Maze Ransomware posted a new entry to their data leak site that states that they breached the network for Conduent in May 2020.” https://www.bleepingcomputer.com/news/security/business-services-giant-conduent-hit-by-maze-ransomware/

“Living in the cyber-based world of ours these days, no one can deny the effect of the internet and cyber world on our lives. Nearly 4.5 billion people out of 7.77 are considered active internet users nowadays and around 1.75 billion websites exist on the internet, providing a wide range of content and services. Besides all the great impacts of this web-based platform on our everyday life though, the dangers and threats in the cyber world are great as well. Cyber-attacks by black hat hackers have risen to be one of the greatest threats to businesses and individuals.” https://www.threathunting.se/2020/06/03/all-you-need-know-bug-bounty/

“Multiple vulnerabilities have been discovered in Mozilla Firefox, the most severe of which could allow for remote code execution. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.” https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-mozilla-firefox-could-allow-for-remote-code-execution_2020-075/

“The rate of mobile phishing rose sharply between the last quarter of 2019 and the first quarter of 2020, a boost most likely due to the increased number of people working from home due to COVID-19 stay-at-home orders, new research has found. In fact, encounter rates for enterprise mobile phishing increased 37 percent between the last quarter of 2019 and the first quarter of 2020, from around 16 percent to 22 percent.” https://threatpost.com/enterprise-mobile-phishing-pandemic/156236/

“The San Francisco Employees’ Retirement System (SFERS) has suffered a data breach after an unauthorized person gained access to a database hosted in a test environment. SFERS manages the benefits program for active and retired employees of San Francisco, California. In a data breach notification filed today, SFERS stated that one of their vendors had set up a test environment that included a database containing the information for approximately 74,000 SFERS members.” https://www.bleepingcomputer.com/news/security/san-francisco-retirement-program-sfers-suffers-data-breach/

“A new module for the infamous trojan known as TrickBot has been deployed: A stealthy backdoor that researchers call “BazarBackdoor.” The binary was first spotted being delivered as part of a phishing campaign that began in March, according to an analysis from Panda Security this week. The campaign used the legitimate marketing platform Sendgrid to reach targets in a mass-mailing fashion; however, the emails were well-crafted, with the operators making an effort to make the phishing links inside the emails look legitimate. The link addresses also corresponded to the emails’ lures, researchers said.” https://threatpost.com/trickbot-bazarbackdoor-malware-arsenal/156243/

“Microsoft Office 365 customers are targeted by a phishing campaign using bait messages camouflaged as notifications sent by their organization to update the VPN configuration they use to access company assets while working from home. The phishing emails impersonating VPN configuration update requests sent by their company’s IT support department have so far landed in the inboxes of up to 15,000 targets according to stats from researchers at email security company Abnormal Security.” https://www.bleepingcomputer.com/news/security/office-365-phishing-baits-remote-workers-with-fake-vpn-configs/

“Attackers were spotted targeting over one million WordPress websites in a campaign over the weekend. The campaign unsuccessfully attempted to exploit old cross-site scripting (XSS) vulnerabilities in WordPress plugins and themes, with the goal of harvesting database credentials. The attacks were aiming to download wp-config.php, a file critical to all WordPress installations. The file is located in the root of WordPress file directories and contains websites’ database credentials and connection information, in addition to authentication unique keys and salts. By downloading the sites’ configuration files, an attacker would gain access to the site’s database, where site content and credentials are stored, said researchers with Wordfence who spotted the attack.” https://threatpost.com/attackers-target-1m-wordpress-sites-to-harvest-database-credentials/156255/
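A defender reading the Wordfence summary above mostly wants to know whether the same thing is hitting their own site. The following is an added example (not code from Wordfence or from the quoted article) that scans web server access logs for requests whose path or query string names wp-config.php, including URL-encoded and double-encoded traversal, and reports which attempts returned a 200 and therefore deserve a credential rotation. The log lines are constructed for the example, and the plugin and theme paths in them (example-plugin, example-theme) are hypothetical.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed Apache "combined" access-log lines; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jun/2020:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jun/2020:10:01:05 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=../../../wp-config.php HTTP/1.1" 403 210 "-" "python-requests/2.23"
198.51.100.4 - - [01/Jun/2020:10:01:09 +0000] "GET /wp-content/themes/example-theme/dl.php?f=..%252F..%252F..%252Fwp-config.php HTTP/1.1" 200 3301 "-" "curl/7.68.0"
203.0.113.7 - - [01/Jun/2020:10:02:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Jun/2020:10:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 1450 "-" "curl/7.68.0"
"""

# Client IP, timestamp, request line, status and size from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def targets_wp_config(target):
    """True if the request path or any query value refers to wp-config.php.
    Values are decoded twice so that %2F and %252F traversal are both caught."""
    parts = urlsplit(target)
    if "wp-config.php" in unquote(unquote(parts.path)).lower():
        return True
    # parse_qs decodes once; decode once more for double-encoded payloads.
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        if any("wp-config.php" in unquote(v).lower() for v in values):
            return True
    return False

def find_config_harvest_attempts(log_text):
    """List every request that names wp-config.php; a 200 means the file may have been served."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and targets_wp_config(rec["target"]):
            hits.append({
                "ip": rec["ip"],
                "target": rec["target"],
                "status": rec["status"],
                "likely_success": rec["status"] == 200,
            })
    return hits

def sources_needing_block(hits):
    """Distinct client addresses that made at least one attempt, for a firewall or WAF list."""
    return sorted({h["ip"] for h in hits})

if __name__ == "__main__":
    for h in find_config_harvest_attempts(SAMPLE_LOG):
        flag = "POSSIBLE DISCLOSURE" if h["likely_success"] else "blocked"
        print(f'{h["ip"]} {h["status"]} {flag} {h["target"]}')
```

Any hit with a 200 should be treated as a disclosure of the database credentials and the AUTH_KEY/salt values in wp-config.php, so rotate them rather than only blocking the source address; a 403 or 404 still identifies a scanner worth blocking and a plugin or theme file handler worth reviewing.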

“The Cycldek APT group has added a previously unknown malware dubbed USBCulprit to its arsenal, aimed at reaching air-gapped devices. Cycldek (a.k.a. Goblin Panda, APT 27 and Conimes) has been targeting governments in Southeast Asia since 2013, according to analysis from Kaspersky, and has been steadily adding more sophisticated tools over time. In the case of USBCulprit, it has been deployed against targets in Vietnam, Thailand and Laos, according to the firm.” https://threatpost.com/info-stealer-air-gapped-devices-usb/156262/

“Cybersecurity researchers today disclosed details for a new vulnerability in VMware’s Cloud Director platform that could potentially allow an attacker to gain access to sensitive information and control private clouds within an entire infrastructure. Tracked as CVE-2020-3956, the code injection flaw stems from improper input handling that could be abused by an authenticated attacker to send malicious traffic to Cloud Director, leading to the execution of arbitrary code. It’s rated 8.8 out of 10 on the CVSS v.3 vulnerability severity scale, making it a critical vulnerability.” https://thehackernews.com/2020/06/vmware-cloud-director-exploit.html

“There are positives and negatives to both a centralised and decentralised model. But there is definitely an advantage of using an Operating System developed feature over a custom developed application. The marriage of software and hardware by Google and Apple means better performance, better battery life and resilience. If a centralised model is required, then steps like those the NHS health authority has taken to ensure personal data is protected, or not collected in the first place, must be a priority.” https://www.tripwire.com/state-of-security/healthcare/contact-tracing-ensure-user-privacy-security/

“An unauthenticated attacker can route network traffic through a vulnerable device, which may lead to reflective DDoS, information leak and bypass of network access controls,” reads the advisory published by the CERT Coordination Center (CERT/CC). “An IP-in-IP device is considered to be vulnerable if it accepts IP-in-IP packets from any source to any destination without explicit configuration between the specified source and destination IP addresses. This unexpected Data Processing Error (CWE-19) by a vulnerable device can be abused to perform reflective DDoS and in certain scenarios used to bypass network access control lists.” https://securityaffairs.co/wordpress/104192/security/ip-in-ip-flaw-cisco.html

“A successful exploit could cause the affected device to unexpectedly decapsulate the IP-in-IP packet and forward the inner IP packet,” according to Cisco’s security advisory, published on Monday. “This may result in IP packets bypassing input ACLs configured on the affected device or other security boundaries defined elsewhere in the network.” https://threatpost.com/cisco-dos-flaw-nexus-switches/156203/
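The two advisories quoted above (CERT/CC and Cisco) describe the same condition: a device that decapsulates IP-in-IP (IP protocol 4) from any source to any destination, so the inner packet's addresses are never checked against a configured tunnel and can bypass ACLs applied to the outer header. The following is an added example, not code from either advisory, that builds IPv4 and IP-in-IP packets as constructed test data, parses them, and applies the check a correctly configured device (or a monitoring point) should apply: decapsulate only when the outer (source, destination) pair is an explicitly configured tunnel, otherwise drop and alert. The addresses and the ALLOWED_TUNNELS set are assumptions for the example.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4   # IANA protocol number for IP-in-IP encapsulation (RFC 2003)

# Assumed tunnel configuration: the only (outer src, outer dst) pairs this device should decapsulate.
ALLOWED_TUNNELS = {("192.0.2.1", "192.0.2.2")}

def _checksum(data):
    """RFC 1071 ones'-complement checksum; returns 0 for a header with a valid checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a minimal 20-byte IPv4 header (no options) for constructed test packets."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]

def build_ipip(o_src, o_dst, i_src, i_dst, i_proto, data=b""):
    """Encapsulate an inner IPv4 packet inside an outer IPv4 packet with protocol 4."""
    inner = ipv4_header(i_src, i_dst, i_proto, len(data)) + data
    return ipv4_header(o_src, o_dst, IPPROTO_IPIP, len(inner)) + inner

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload); raise ValueError on a malformed header."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl or total_len < ihl:
        raise ValueError("bad header length")
    if _checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto, pkt[ihl:total_len])

def classify_ipip(pkt, allowed_tunnels=ALLOWED_TUNNELS):
    """Decide what a correctly configured device should do with a packet:
    decapsulate IP-in-IP only for an explicitly configured (outer src, outer dst) tunnel."""
    o_src, o_dst, proto, payload = parse_ipv4(pkt)
    if proto != IPPROTO_IPIP:
        return {"ipip": False, "verdict": "forward-normally"}
    i_src, i_dst, i_proto, _ = parse_ipv4(payload)   # inner header is itself a full IPv4 packet
    configured = (o_src, o_dst) in allowed_tunnels
    return {
        "ipip": True,
        "outer": (o_src, o_dst),
        "inner": (i_src, i_dst),
        "inner_proto": i_proto,
        "configured_tunnel": configured,
        # An unconfigured tunnel is exactly the CWE-19 case in the advisory: the inner
        # packet would otherwise be forwarded with addresses the outer ACL never saw.
        "verdict": "decapsulate" if configured else "drop-and-alert",
    }

def demo():
    """Constructed traffic: one legitimate tunnel packet and one from an unknown source."""
    legit = build_ipip("192.0.2.1", "192.0.2.2", "10.0.0.5", "10.0.1.9", 17, b"\x00" * 8)
    rogue = build_ipip("198.51.100.77", "192.0.2.2", "10.0.0.5", "10.0.1.9", 17, b"\x00" * 8)
    return classify_ipip(legit), classify_ipip(rogue)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The rogue packet carries the same inner addresses as the legitimate one; only the outer source differs. A device that keys its decision on the inner header, or on nothing at all, forwards both, which is the ACL bypass the Cisco advisory describes. A sensor can apply the same classify_ipip logic to captured traffic and alert on every "drop-and-alert" verdict, which also surfaces the reflection pattern CERT/CC mentions (outer sources that are not tunnel peers).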

“A totally connected world will also be especially susceptible to cyberattacks. Even before the introduction of 5G networks, hackers have breached the control center of a municipal dam system, stopped an Internet-connected car as it travelled down an interstate, and sabotaged home appliances. Ransomware, malware, crypto-jacking, identity theft, and data breaches have become so common that more Americans are afraid of cybercrime than they are of becoming a victim of violent crime.” https://www.tripwire.com/state-of-security/security-data-protection/cybersecurity-implications-5g-technology/

“The main goals and responsibilities of a SOC team are continuously monitoring security, detecting, analyzing, and responding to security incidents in the best way possible using processes and technology. The SOC team is also in charge of proactively investigating abnormal activity and correctly identifying and defending threats to maintain the safety of the infrastructure. Other than specialized expertise, security analysts need to think outside the box when it comes to threat response and also learn progressively.” https://www.threathunting.se/2020/06/01/get-to-know-the-roles-of-soc-analyst-and-the-soc-team-threat-hunter/

“An exploitable denial-of-service vulnerability exists in VMware Workstation, version 15.5.0, build-14665864. A specially crafted pixel shader can cause a denial of service. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be triggered from a VMware guest and the VMware host will be affected, leading to a vmware-vmx.exe process crash on the host.” https://blog.talosintelligence.com/2020/06/vulnerability-spotlight-vmware.html

“Rod Rosenstein, a former deputy attorney general at the Department of Justice, has been providing counsel on cybersecurity and national security to NSO Group, the Israeli software surveillance firm accused of spying on human rights activists and journalists, according to court documents obtained by CyberScoop.” https://www.cyberscoop.com/rod-rosenstein-nso-group-whatsapp/

“The office of Minnesota Gov. Tim Walz says the National Security Agency did not provide the state with signals intelligence as its law enforcement agencies responded to protests against the killing of George Floyd. For a while this weekend, though, the governor stirred up some confusion about whether the intelligence agency could do so.” https://www.cyberscoop.com/george-floyd-minnesota-nsa-surveillance/

“Phishing emails, used as the initial attack vector, were tailored and customized under the specific language for each specific victim. The malware used in this attack performed destructive activity only if the operating system had a localization that matched the language used in the phishing email,” reads the report published by Kaspersky. “For example, in the case of an attack on a company from Japan, the text of a phishing email and a Microsoft Office document containing a malicious macro were written in Japanese.” https://securityaffairs.co/wordpress/103971/hacking/industrial-enterprises-attacks-steganography.html

“Designing a robust command and control infrastructure involves creating multiple layers of command and control. This can be described as tiers. Each tier offers a level of capability and covertness. The idea of using multiple tiers is the same as not putting all your eggs in one basket. If C2 is detected and blocked, having a backup allows operations to continue. C2 tiers generally fall into three categories: Interactive, Short-Haul, and Long-Haul. These are sometimes labeled as Tier 1, 2, or 3. There is nothing unique to each tier other than how they are used.” https://www.threathunting.se/2020/05/29/command-control-c2-tier/

“Vitalii Antonenko was charged in Massachusetts on multiple counts of conspiracy – to commit computer hacking, launder money and traffic in stolen payment card numbers – in connection with a scheme to sell stolen data on cybercriminal markets. The U.S. Department of Justice announced on Wednesday that Antonenko, 28, was apprehended in March upon his arrival at John F. Kennedy Airport from Ukraine. He was charged Tuesday.” https://www.cyberscoop.com/hacker-arrest-nyc-jfk-airport/